Studio Developer Manual / Version 2406.0
The concrete configuration of the SecurityFilterChain will of course depend heavily on your SSO provider, but there are also some mandatory and recommended Studio-specific settings. The following example has been created for an OAuth2 provider, and we will go through it step-by-step.
```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
import org.springframework.security.web.util.matcher.RequestMatcher;
// CapLogoutHandler and the predefined RequestMatcher / handler beans are provided by
// CoreMedia Studio; the imports come from your Studio dependencies.

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http,
                                               RequestMatcher unauthenticatedRequestMatcher,
                                               RequestMatcher authenticatedRequestMatcher,
                                               SessionFixationProtectionStrategy sessionFixationProtectionStrategy,
                                               RequestMatcher csrfIgnoringRequestMatcher,
                                               RequestMatcher logoutRequestMatcher,
                                               CapLogoutHandler capLogoutHandler,
                                               LogoutSuccessHandler logoutSuccessHandler,
                                               AccessDeniedHandler accessDeniedHandler) throws Exception {
  return http
      // Authentication: OAuth2 login is only an example, adapt to your SSO provider.
      .oauth2Login()
      .and()
      // Authorization: which requests may pass without a session and which need one.
      .authorizeHttpRequests()
        .requestMatchers(unauthenticatedRequestMatcher).permitAll()
        .requestMatchers(authenticatedRequestMatcher).authenticated()
      .and()
      // Session fixation protection with the Studio-predefined strategy.
      .sessionManagement()
        .sessionAuthenticationStrategy(sessionFixationProtectionStrategy)
      .and()
      // CSRF protection, except for the requests Studio explicitly exempts.
      .csrf()
        .ignoringRequestMatchers(csrfIgnoringRequestMatcher)
      .and()
      // Logout requests are redirected correctly, everything else gets a 403.
      .exceptionHandling()
        .accessDeniedHandler(accessDeniedHandler)
      .and()
      // Logout: POST /logout closes the CapSession and redirects.
      .logout()
        .logoutRequestMatcher(logoutRequestMatcher)
        .addLogoutHandler(capLogoutHandler)
        .logoutSuccessHandler(logoutSuccessHandler)
      .and()
      // Recommended security headers on every response.
      .headers()
      .and()
      .build();
}
```
There are different styles of writing such a configuration. In this example we create several Configurers on the HttpSecurity bean, like e.g. logout(), customize their behavior by calling methods on them, and then get back to the HttpSecurity bean with and() to continue with the next Configurer.
The first configurer, oauth2Login(), adds support for authentication using OAuth2 and is just an example. Your SSO provider might require a different configuration.
authorizeHttpRequests() and the following requestMatchers configure which requests require authentication in the first place. Generally only the requests to /api/** are protected, but there are also some paths below /api that need to be accessible without authentication. To this end you can use the predefined RequestMatchers unauthenticatedRequestMatcher and authenticatedRequestMatcher. Keep the permitAll() rule before the authenticated() rule: Spring Security applies the first matching rule, so the order of the two requestMatchers calls decides which one wins for a given request.
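To make the relationship between the two request sets tangible, here is an added example (not Studio's predefined beans, which you should use in practice) of how matchers of this shape can be composed with Spring Security's RequestMatcher combinators. The paths below /api and the class name are hypothetical; only the POST /logout rule is taken from this page.

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Hypothetical matchers illustrating the "everything below /api is protected, except an
 * explicit allow-list" structure. Studio ships its own predefined matcher beans; use those.
 */
public final class ExampleRequestMatchers {

  /** Everything below /api is protected by default. */
  static final RequestMatcher API = new AntPathRequestMatcher("/api/**");

  /** Hypothetical public endpoints below /api that must work without a session. */
  static final RequestMatcher UNAUTHENTICATED = new OrRequestMatcher(
      new AntPathRequestMatcher("/api/example-public/**"),
      new AntPathRequestMatcher("/api/example-health", "GET"));

  /** Protected = below /api AND NOT on the explicit allow-list. */
  static final RequestMatcher AUTHENTICATED =
      new AndRequestMatcher(API, new NegatedRequestMatcher(UNAUTHENTICATED));

  /** Logout is only accepted as POST /logout, as described in the manual. */
  static final RequestMatcher LOGOUT = new AntPathRequestMatcher("/logout", "POST");

  /** Returns the name of the rule that would apply to the request. */
  static String classify(HttpServletRequest request) {
    if (LOGOUT.matches(request)) return "logout";
    if (UNAUTHENTICATED.matches(request)) return "permitAll";
    if (AUTHENTICATED.matches(request)) return "authenticated";
    return "not covered";
  }

  /** Builds a mock request; AntPathRequestMatcher inspects the servlet path, so set it. */
  static MockHttpServletRequest request(String method, String path) {
    MockHttpServletRequest request = new MockHttpServletRequest(method, path);
    request.setServletPath(path);
    return request;
  }

  public static void main(String[] args) {
    System.out.println(classify(request("GET", "/api/content/1")));          // authenticated
    System.out.println(classify(request("GET", "/api/example-public/x")));   // permitAll
    System.out.println(classify(request("POST", "/api/example-health")));    // authenticated (GET only)
    System.out.println(classify(request("POST", "/logout")));                // logout
    System.out.println(classify(request("GET", "/logout")));                 // not covered
  }

  private ExampleRequestMatchers() {}
}
```

The main method needs spring-test on the classpath for MockHttpServletRequest. Note the explicit setServletPath: a mock request with an empty servlet path matches nothing, a frequent source of false confidence in matcher tests.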
sessionManagement() and csrf() are used to configure protection against session fixation attacks and CSRF with predefined strategies for Studio.
exceptionHandling(): The predefined accessDeniedHandler is a com.coremedia.rest.security.config.SimpleLogoutAccessDeniedHandler, which takes care of the correct redirection if the request is a request to the logout URL. Other requests receive a 403 response.
logout(): The predefined capLogoutHandler and logoutSuccessHandler take care of closing the user's CapSession and of the correct redirection on logout. The predefined logoutRequestMatcher is configured for path /logout and method POST and is also used to configure the accessDeniedHandler.
headers() adds some recommended security headers to the response.